From f6118febc7da1dd1337e9266816cd9315e91cbcd Mon Sep 17 00:00:00 2001 From: "data-plane-api(Azure Pipelines)" Date: Mon, 13 Sep 2021 15:32:28 +0000 Subject: [PATCH] ext_authz: Use 403 as default for denied response (#18010) Before this, when a gRPC server sends out DeniedResponse as a check response for a request but without setting the HttpResponse.DeniedResponse.Status, HTTP ext_authz filter translates that as "0" (empty/unknown HTTP status code). This patch makes sure we reply with a valid 403 Forbidden HTTP status code (the current default status code for denied response). Signed-off-by: Dhi Aurrahman Mirrored from https://github.com/envoyproxy/envoy @ e3af0943fff8444660a797cce6a78fd956e3c2cf --- envoy/service/auth/v3/external_auth.proto | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/envoy/service/auth/v3/external_auth.proto b/envoy/service/auth/v3/external_auth.proto index b627fcb3..31adbc16 100644 --- a/envoy/service/auth/v3/external_auth.proto +++ b/envoy/service/auth/v3/external_auth.proto @@ -46,9 +46,9 @@ message DeniedHttpResponse { option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.DeniedHttpResponse"; - // This field allows the authorization service to send a HTTP response status - // code to the downstream client other than 403 (Forbidden). - type.v3.HttpStatus status = 1 [(validate.rules).message = {required: true}]; + // This field allows the authorization service to send an HTTP response status code to the + // downstream client. If not set, Envoy sends ``403 Forbidden`` HTTP status code by default. + type.v3.HttpStatus status = 1; // This field allows the authorization service to send HTTP response headers // to the downstream client. Note that the :ref:`append field in HeaderValueOption ` defaults to 
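Review bot: The new comment on `status` in DeniedHttpResponse says what happens when the field is not set, but not what happens when `status` is present with its `code` left at the zero value. With `(validate.rules).message = {required: true}` removed, the proto no longer rejects either shape, so the 403 fallback depends entirely on filter code that is not part of this patch. If the filter treats both cases alike, I would add `// A status whose code is left unset is handled the same way as an unset status.` The comment could also note that, per the commit message, proxies built before this change answer with an empty status code instead of 403. The CheckResponse comment in the second hunk has the same gap, and the DeniedHttpResponse body continues outside this hunk.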
@@ -110,7 +110,9 @@ message CheckResponse { option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.CheckResponse"; - // Status `OK` allows the request. Any other status indicates the request should be denied. + // Status `OK` allows the request. Any other status indicates the request should be denied, and + // for HTTP filter, if not overridden by :ref:`denied HTTP response status ` + // Envoy sends ``403 Forbidden`` HTTP status code by default. google.rpc.Status status = 1; // An message that contains HTTP response attributes. This message is